Bug 505851 - SELinux is preventing access to files with the label, file_t.
Product: Fedora
Classification: Fedora
Component: selinux-policy
x86_64 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2009-06-14 06:40 EDT by Juergen Wieczorek
Modified: 2009-06-15 15:11 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-15 15:11:24 EDT
Description Juergen Wieczorek 2009-06-14 06:40:45 EDT
Description of problem:


SELinux is preventing access to files with the label, file_t.

Detaillierte Beschreibung:

SELinux permission checks on files labeled file_t are being denied. file_t is
the context the SELinux kernel gives to files that do not have a label. This
indicates a serious labeling problem. No files on an SELinux box should ever be
labeled file_t. If you have just added a new disk drive to the system you can
relabel it using the restorecon command. Otherwise you should relabel the entire
files system.

Zugriff erlauben:

You can execute the following command as root to relabel your computer system:
"touch /.autorelabel; reboot"

Zusätzliche Informationen:

Quellkontext                  system_u:system_r:xdm_t:s0-s0:c0.c1023
Zielkontext                   system_u:object_r:file_t:s0
Zielobjekte                   jwi [ dir ]
Quelle                        kdm_greet
Quellen-Pfad                  /usr/libexec/kde4/kdm_greet
Port                          <Unbekannt>
Host                          marvin42.local
Quellen-RPM-Pakete            kdm-4.2.2-5.fc11
RPM-Richtlinie                selinux-policy-3.6.12-39.fc11
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   file
Hostname                      marvin42.local
Plattform                     Linux marvin42.local #1
                              SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Anzahl der Alarme             2
Zuerst gesehen                Sa 13 Jun 2009 12:36:29 CEST
Zuletzt gesehen               Sa 13 Jun 2009 12:36:29 CEST
Lokale ID                     7fa206e6-945a-41c3-9f12-9e85f568e20d


node=marvin42.local type=AVC msg=audit(1244889389.339:13235): avc:  denied  { search } for  pid=2002 comm="kdm_greet" name="jwi" dev=sda8 ino=4767745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir

node=marvin42.local type=SYSCALL msg=audit(1244889389.339:13235): arch=c000003e syscall=2 success=no exit=819625944 a0=1637f68 a1=800 a2=1637f68 a3=7fffd04aa620 items=0 ppid=1991 pid=2002 auid=4294967295 uid=0 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 tty=(none) ses=4294967295 comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
Comment 1 Miroslav Grepl 2009-06-15 01:02:48 EDT
Did you try what the setroubleshoot command told you to do?

touch /.autorelabel; reboot

This will fix the labeling problem. But the question is how you got files without labels onto your system.
Comment 2 Miroslav Grepl 2009-06-15 01:06:43 EDT
Did you add a disk created on a non-SELinux system?
Comment 3 Juergen Wieczorek 2009-06-15 04:10:30 EDT
Ah, now I see.
The /home partition is shared with other systems on my machine.
Comment 4 Daniel Walsh 2009-06-15 15:11:24 EDT
If you want the /home to remain unlabeled or be shared with systems that do not support SELinux, you can use a mount option on SELinux:

mount -o context=system_u:object_r:user_home_t:s0 DEVICE /home

Or add this to /etc/fstab.

Then SELinux will treat the entire disk as being labeled as user_home_t. If you have problems with this, you could try nfs_t, and make pretend the homedir is an NFS share. Then everything will work.
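
Added example, not part of the bug report or of any commenter's post: a shell function that reads audit records and counts AVC denials whose target type is file_t, grouped by device and object class, to show which filesystem carries the unlabeled files. The function names are hypothetical, and the sample records other than the first (which is the one from the description above) are constructed.

```shell
#!/bin/sh
# Count AVC denials against file_t targets per device and object class.
# Real use (assumes the default auditd log location):
#   file_t_denials < /var/log/audit/audit.log

# Reads audit records on stdin; prints "<dev> <tclass> <count>" lines, sorted.
file_t_denials() {
    awk '
    /(^| )type=AVC / {
        if ($0 !~ /avc:[ ]+denied/) next
        dev = ""; tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dev=/)    { dev = substr($i, 5); gsub(/"/, "", dev) }
            if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
            if ($i ~ /^tcontext=/) {
                # tcontext is user:role:type:level, so the type is part 3
                split(substr($i, 10), ctx, ":")
                ttype = ctx[3]
            }
        }
        if (ttype == "file_t") count[dev " " tclass]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Sample input: record 1 is from the report, records 2-5 are constructed.
sample_audit_lines() {
    cat <<'EOF'
node=marvin42.local type=AVC msg=audit(1244889389.339:13235): avc:  denied  { search } for  pid=2002 comm="kdm_greet" name="jwi" dev=sda8 ino=4767745 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1244889390.101:13240): avc:  denied  { getattr } for  pid=2002 comm="kdm_greet" path="/home/jwi/.face" dev=sda8 ino=4767801 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1244889391.220:13241): avc:  denied  { search } for  pid=2002 comm="kdm_greet" name="guest" dev="sda8" ino=4767900 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1244889392.007:13242): avc:  denied  { write } for  pid=2100 comm="example" name="notes" dev=sda7 ino=1201 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1244889389.339:13235): arch=c000003e syscall=2 success=no comm="kdm_greet" exe="/usr/libexec/kde4/kdm_greet" key=(null)
EOF
}

# Summarise the embedded sample when the script is run directly.
sample_audit_lines | file_t_denials
```

A device listed in the output is a candidate for relabeling with restorecon, or for the context= mount option from Comment 4 if it has to stay shared with non-SELinux systems.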
